Winamp is a skinnable, multi-format, freeware audio player made by Nullsoft.
It is available for free download from http://www.winamp.com/. Due to its
popularity, winamp has got into "Hall of Fame" on CNET's www.download.com.
The vulnerability described in this advisory could be used to spread malicious
code such as a virus within mp3 files, which are commonly very trusted.

==[ Vulnerability

Winamp is vulnerable to a buffer overflow vulnerability when processing ID3v2
tags of mp3 files. To exploit this vulnerability, a user has to add malformed
mp3 file to the Winamp playlist, and play it.
When playing mp3 file is finished, playlist is updated, and if some part of
the ID3v2 tag (e.g. ARTIST or TITLE) is too long, it is possible to overflow
value that is later used as the source address in the strcpy() function.
The strcpy() call can overflow a value (in the DATA segment) that will later,
in jump instruction, point code execution to some attacker-supplied buffer,
where malicious code can be executed.

Before it is possible to overflow important value in the DATA segment,
a simple "sanity check" has to be passed. In the next piece of asm code,
we control the EAX register (because of the first overflow), and after
returning from the function, that EAX is used as source address for
strcpy().

This "sanity check" code will test if there is a value 0x00000001 (ECX)
in memory on offset 0x9B4 from EAX address.
If that condition is true, then after returning from the function, the same
EAX content will be used as the source address in strcpy().
If the condition is false, EAX is set to a value that is located on offset
0x9B8 from current EAX register address, and the program will jump to the
begining of the loop.

To bypass that check, EAX (arg) has to be set to the address of string buffer
where on address EAX+9B4 is value 0x00000001 (val), and that string has to be
still long enough to overflow onto the "jump address". The string needs to be at
least 284 bytes long to overflow onto the "jump address" in the DATA segment.
The ID3v2 data resides in the DATA segment (that is static), and there are a lot
of 0x00000001 values in it, so it is possible to determine a static address that
will work every time for some Winamp and Windows versions.

Due to the fact that if condition EAX+9B4=0x00000001 isn't met, EAX is
set to value at address EAX+9B8 and condition would be tested again,
maybe it is even possible to create some brute-force buffer(s) that
will "scan" the memory for 0x00000001, but this is purely theoretical,
and probably unlikely.

When the "sanity check" is bypassed, strcpy() will be executed, and the "jump
address" will be overflowed. That strcpy() code is presented below.

We have tried and managed to reliably exploit this vulnerability on Windows XP
SP1 and windows 2000 SP0, with Winamp versions 5.03a, 5.09 and 5.091.

It is important to say that this vulnerability is not easy to exploit, but
with the help of static addresses from the DATA segment, it is possible to create
reliable exploit. Beside, there are few possible exploitation vectors for this
vulnerability, depending on what actions are performed by user on malformed mp3
file.
For example - in version 5.03a, if the malformed mp3 file is added to the playlist
with 'add-folder' option, it isn't needed to bypass the previously mentioned
"sanity check".

==[ Affected Version

The vulnerability was tested on Winamp versions 5.03a, 5.09 and 5.091.

==[ Fix

A patched version should be soon available for download from www.winamp.com.
Thanks to the winamp development team for good cooperation and a quick response.